It is a longstanding open problem to devise an oracle relative to which BQP does not lie in the
Polynomial-Time Hierarchy (PH). We advance a natural conjecture about the capacity of the
Nisan-Wigderson pseudorandom generator [NW94] to fool $\mathrm{AC}^0$, with MAJORITY as its hard function. Our
conjecture is essentially that the loss due to the hybrid argument (which is a component of the standard
proof from [NW94]) can be avoided in this setting. This is a question that has been asked previously in
the pseudorandomness literature [BSW03]. We then make three main contributions:
1. We show that our conjecture implies the existence of an oracle relative to which BQP is not in the
PH. This entails giving an explicit construction of unitary matrices, realizable by small quantum
circuits, whose row-supports are "nearly-disjoint."

2. We give a simple framework (generalizing the setting of Aaronson [Aar10b]) in which any efficiently
quantumly computable unitary gives rise to a distribution that can be distinguished from
the uniform distribution by an efficient quantum algorithm. When applied to the unitaries we construct,
this framework yields a problem that can be solved quantumly, and which forms the basis
for the desired oracle.

3. We prove that Aaronson's "GLN conjecture" [Aar10b] implies our conjecture; our conjecture is
thus formally easier to prove. The GLN conjecture was recently proved false for depth greater than
2 [Aar10a], but it remains open for depth 2. If true, the depth-2 version of either conjecture would
imply an oracle relative to which BQP is not in AM, which is itself an outstanding open problem.



Taken together, our results have the following interesting interpretation: they give an instantiation of the 
Nisan-Wigderson generator that can be broken by quantum computers, but not by the relevant modes of 
classical computation, if our conjecture is true. 
1 Introduction

Let $U_t$ denote a random variable uniformly distributed on $t$-bit strings. A pseudorandom generator (PRG)
is a function

$$f : \{0,1\}^t \to \{0,1\}^m$$

that stretches a short "seed" into a longer output string, with the property that $f(U_t)$ is computationally
indistinguishable from the uniform distribution.

There is a vast literature constructing PRGs that achieve computational indistinguishability against a 
wide variety of computational models (e.g. small circuits, small nondeterministic circuits, small branching 
programs, small constant-depth circuits). These constructions are typically "hardness vs. randomness" 
tradeoffs in the sense that they make use of a hard function (either unconditionally hard, or hard conditioned 
on a complexity assumption), and their proof of correctness takes the form of a reduction that transforms 
a computationally efficient distinguisher into an efficient algorithm for the hard function (thereby deriving 
a contradiction). This transformation entails the use of the hybrid argument [GM84, Yao82] which incurs
a loss of a factor $1/m$ in going from a distinguisher (with gap $\epsilon$) to a predictor (with advantage $\epsilon/m$) and
from there to an efficient algorithm (with advantage $\epsilon/m$).

A question that has been raised in the pseudorandomness literature is whether this loss of a factor of 1/m 
can be avoided (for an explicit framing of this question, and a discussion of its motivation, see [BSW03]). 
In certain settings, the answer is known to be "yes" - when the notion of "efficient" is small PH circuits, 
or bounded-width branching programs [BSW03]. In the present paper, we identify a setting in which this
question has surprising connections to a central unresolved question in quantum complexity: whether there 
exists an oracle relative to which BQP is not in the PH. 

Our setting is a familiar one: we will work with the ubiquitous Nisan-Wigderson PRG [NW94], against 
$\mathrm{AC}^0$ circuits, with MAJORITY as its hard function. We need a precise statement for the discussion below,
which can be given via two standard definitions: 

Definition 1.1 ([NW94]). A set family $\mathcal{D} = \{S_1, S_2, \ldots, S_m\}$ is an $(\ell, p)$ design if every set in the family
has cardinality $\ell$, and for all $i \ne j$, $|S_i \cap S_j| \le p$.

Definition 1.2 ([NW94]). Given a function $f : \{0,1\}^\ell \to \{0,1\}$ and an $(\ell, p)$ design $\mathcal{D} = \{S_1, S_2, \ldots, S_m\}$
in a universe of size $t$, the function $\mathrm{NW}^f_{\mathcal{D}} : \{0,1\}^t \to \{0,1\}^m$ is given by

$$\mathrm{NW}^f_{\mathcal{D}}(x) = \left(f_1(x|_{S_1}), f_2(x|_{S_2}), f_3(x|_{S_3}), \ldots, f_m(x|_{S_m})\right),$$

where each $f_i$ is the function $f$ with a fixed set of its inputs negated,¹ and $x|_S$ denotes the projection of $x$ to
the coordinates in the set $S$.

Generally speaking, the function $\mathrm{NW}^f_{\mathcal{D}}$ is a PRG against a class of distinguishers as long as $f$ is hard
on average for that class of distinguishers. Recall that the majority function on $\ell$ bits is known to be hard
for $\mathrm{AC}^0$: no polynomial-size (or even quasi-polynomial-size), constant-depth circuit can compute majority
correctly on more than a $1/2 + O(1/\sqrt{\ell})$ fraction of the inputs [Smo93, Has87], and this is essentially tight,
since the function that simply outputs the first bit of the input is correct on a random input with probability
$1/2 + \Theta(1/\sqrt{\ell})$. We make the following quantitative conjecture:



1 The standard setup has each $f_i = f$; we need the additional freedom in this paper for technical reasons. We know of no settings
in which this alteration affects the analysis of the NW generator.



Conjecture 1. Let $\mathcal{D} = \{S_1, S_2, \ldots, S_m\}$ be an $(\ell, O(1))$-design in a universe of size $t \le \mathrm{poly}(\ell)$, with
$m \le \mathrm{poly}(\ell)$. Then for every constant-depth circuit $C$ of size at most $\exp(\mathrm{poly}\log m)$,

$$\left| \Pr[C(U_{t+m}) = 1] - \Pr[C(U_t, \mathrm{NW}^{\mathrm{MAJORITY}}_{\mathcal{D}}(U_t)) = 1] \right| \le o(1).$$

In this work we abuse notation and refer to constant depth circuits of size at most $\exp(\mathrm{poly}\log m)$ as
"$\mathrm{AC}^0$".

By the standard argument from [NW94, Nis92], a distinguishing circuit $C$ with gap $\epsilon$ can be converted
to a predictor with advantage $\epsilon/m$ and then a slightly larger circuit that computes MAJORITY with success
rate $1/2 + \epsilon/m$. Thus the above statement is true for $m \ll \sqrt{\ell}$; if the $1/m$ loss from the hybrid argument
can be avoided (or reduced), it would be true for $m$ as large as $\mathrm{poly}(\ell)$ (and even larger) as we conjecture is
true. In Section 6 we discuss intuition supporting this conjecture that relates specifically to the hardness of
MAJORITY for $\mathrm{AC}^0$.

This paper contains three main results, which together make Conjecture 1 interesting and worthy of
further study: 

• We show that our conjecture implies the existence of an oracle relative to which BQP is not in the PH, 
and would thus resolve a major question in quantum complexity. We are encouraged by the fact that 
our conjecture is recognizable as a natural question in pseudorandomness that has been previously 
and independently studied (e.g., in [BSW03]). 

The crucial component in showing that our conjecture is sufficient for the existence of an oracle
relative to which BQP is not in the PH, is an explicit construction of unitary matrices whose
row-supports form an $(\ell, p)$-design. We give such a construction and show how to realize these matrices
with small quantum circuits in Section 4. This is the technical core of the paper.

• We generalize the setting of [Aar10b] (which proposed a so-called forrelated distribution as one that
is easy to distinguish from uniform by a quantum computer, but possibly hard for $\mathrm{AC}^0$) to a simple
framework in which any efficiently quantumly computable unitary $U$ gives rise to a distribution that
can be distinguished from uniform by a quantum computer (and Aaronson's setup is recovered by
choosing $U$ to be a DFT matrix).

Together with our construction of explicit unitaries whose row-supports form an $(\ell, p)$-design, this
framework has the following interesting interpretation: it gives an instantiation of the Nisan-Wigderson
generator that can be broken by quantum computers, but not by the relevant modes of classical
computation, if Conjecture 1 is true.

Also of independent interest is the fact the unitaries that form the basis of our quantum algorithms 
don't seem to resemble the DFT matrices for problems in the Hidden Subgroup framework, or even 
the few other unitaries used in known quantum algorithms. But they possess natural extremal com- 
binatorial (as opposed to algebraic) properties, and we wonder if they can be useful elsewhere in the 
quantum realm. 

• We show that the "Nisan-Wigderson" distribution $(U_t, \mathrm{NW}^{\mathrm{MAJORITY}}_{\mathcal{D}}(U_t))$ is $\epsilon$-almost $k$-wise
independent, in the sense of Aaronson [Aar10b], whose "GLN conjecture" asserted that all such
distributions fool $\mathrm{AC}^0$; a depth-3 counterexample was later found [Aar10a]. Whether all such distributions
fool depth-2 $\mathrm{AC}^0$ remains open. A distribution in our general framework (thus efficiently quantumly
distinguishable from uniform) that fools depth-2 $\mathrm{AC}^0$ would imply an oracle relative to which BQP
is not in AM, a weaker (and still unresolved) version of the BQP vs. PH problem. Thus there are
two potential routes to resolving this weaker version of the main problem (the depth-2 version of our
conjecture, and the depth-2 version of the GLN conjecture); ours is formally easier, and arguably
conceptually easier because its connection to the pseudorandomness literature suggests initial lines of
attack.

Finally, since [Aar10b] has shown that the classes SZK and $\mathrm{BPP}_{\mathrm{path}}$ require exponentially many
queries to distinguish $\epsilon$-almost $k$-wise independent distributions from uniform, our constructions
unconditionally yield oracles relative to which BQP does not lie in either of these classes (and MA as well, since
$\mathrm{MA} \subseteq \mathrm{BPP}_{\mathrm{path}}$), just as Aaronson's construction does.

1.1 The BQP vs. PH question 

The quest for an oracle relative to which BQP is not in the PH dates to the foundational papers of the field; 
the question was first asked by Bernstein and Vazirani [BV93] in the early 1990's. They also gave an oracle 
problem, RECURSIVE FOURIER SAMPLING, that is regarded as a promising candidate (but there have been 
as yet no real inroads on a potential proof). Currently, oracles are known relative to which BQP is not in 
MA [Wat00], but no relativized worlds are known in which BQP is not in AM. Obtaining an oracle relative
to which BQP is not in the PH thus represents a stubborn, longstanding and fundamental problem whose
resolution would help clarify the relationship between BQP and classical complexity classes. In recent
progress, Aaronson [Aar10b] devised a relation oracle problem that lies in the function version of BQP
but not in the function version of the PH, but this still leaves the original problem open. Aaronson's work
[Aar10b] also has a detailed account of the many motivations for revisiting (and hopefully resolving!) this
problem, and we refer the interested reader to the introduction of [Aar10b] for many more details.

In this paper we will find it convenient to speak almost exclusively about the "scaled down" version of the
problem, which is equivalent via the well-known connection between PH and $\mathrm{AC}^0$. In it, the goal is to design
a promise problem (rather than an oracle) that lies in (promise)-BQLOGTIME but not (promise)-$\mathrm{AC}^0$. We
will drop the cumbersome "promise" modifiers when they are clear from context. The class BQLOGTIME
is the class of languages decidable by quantum computers that have random access to an $N$-bit input, and
use only $O(\log N)$ steps.

Definition 1.3 (BQLOGTIME). A language $L$ is in BQLOGTIME if it can be decided by a LOGTIME-uniform
family of circuits $\{C_n\}$, where each $C_n$ is a quantum circuit on $n$ qubits. On an $(N = 2^n)$-bit
input $x$, circuit $C_n$ applies $O(\log N)$ gates, with each gate being either a query gate which applies the map
$|i\rangle|z\rangle \mapsto |i\rangle|z \oplus x_i\rangle$, or a standard quantum gate (from a fixed, finite basis). It is equivalent (by polynomially
padding the number of qubits) to allow $\mathrm{poly}\log(N)$ gates.

Following Aaronson, our goal will be to design, for each input length $N$, a distribution on $N$-bit strings
that can be distinguished from the uniform distribution by a BQLOGTIME predicate, but not by an $\mathrm{AC}^0$
circuit. As described in Appendix such a distribution can be easily converted to a proper oracle $O$ for
which $\mathrm{BQP}^O \not\subset \mathrm{PH}^O$.

1.2 Techniques 

In this section we briefly discuss the techniques we use for each of the main results listed above. 



Showing that our NW distribution is $\epsilon$-almost $k$-wise independent. We prove that whenever $\mathcal{D}$ is an
$(\ell, p)$ design in a universe of size $t$, the random variable $(U_t, \mathrm{NW}^{\mathrm{MAJORITY}}_{\mathcal{D}}(U_t))$ is $O(pk^2/\sqrt{\ell})$-almost
$k$-wise independent, for $k < o(\ell^{1/4} p^{-1/2})$. The relevant definition of almost-$k$-wise independence (which we
inherit from [Aar10b]) appears in Definition 2.1. Recall that this property of our distribution is the technical
basis of the SZK and $\mathrm{BPP}_{\mathrm{path}}$ results, as well as the connections to the depth-2 GLN conjecture.

This statement amounts to the assertion that after conditioning on the value of up to $k - 1$ coordinates,
the bias (away from 1/2) of any specified $k$-th coordinate is at most $O(pk/\sqrt{\ell})$. This is an easy calculation
when the conditioned coordinates all lie among the first $t$ coordinates (since the $k$-th coordinate is either
completely independent, if it lies among the first $t$ coordinates, or else it is MAJORITY applied to a subset of
$\ell$ of the first $t$ coordinates, of which up to $k - 1$ may be fixed). In the actual proof, when some conditioned
coordinates lie outside the first $t$ coordinates (which would otherwise be difficult to analyze), we use the
following simple trick to reduce to the easy case: we replace conditioning on coordinate $t + i$ with
conditioning on all of the coordinates in set $S_i$ of the $(\ell, p)$-design (which determine it). Since at most $p$ of these
can affect the bias of the $k$-th coordinate, we are back in the easy case with up to $p(k - 1)$ bits fixed instead
of $(k - 1)$.

Showing that our conjecture is sufficient to resolve the BQP vs. PH question. In order to show that
our conjecture is sufficient to imply an oracle relative to which BQP is not in the PH, we need to discuss the
quantum part of the argument. Conjecture 1 implies that the NW generator with certain parameters fools
$\mathrm{AC}^0$, which is one part of the overall argument. The other part is to exhibit a BQLOGTIME algorithm
that "breaks" this instantiation of the NW generator. Generalizing [Aar10b], our quantum algorithm² will
receive a random string $x \in \{+1,-1\}^t$ (which should be thought of as the input to the NW generator) as
the first half of its input, and as the second half of its input, either

1. a second random string in $\{+1,-1\}^t$, or

2. a string containing the signs of a unitary $U$ (with entries in $\{0, 1, -1\}$) applied to $x$.

The algorithm distinguishes the two cases (roughly) by querying x into the phases, applying U, multiplying 
the second string into the phases, and measuring in the Hadamard basis. 

Note that in case (2), each coordinate of the second string is the sign of a $+1/-1$ weighted sum of
certain coordinates of $x$; i.e., it computes MAJORITY (with a fixed pattern of inputs negated) on this subset
of the coordinates of $x$. Thus, if we can construct a unitary $U$ whose row-supports form an $(\ell, p)$ design $\mathcal{D}$ in
a universe of size $t$, then case (2) will be the distribution $(U_t, \mathrm{NW}^{\mathrm{MAJORITY}}_{\mathcal{D}}(U_t))$, and case (1) will be the
uniform distribution. The parameters of this instantiation of the NW generator will be such that Conjecture
1 implies that it fools $\mathrm{AC}^0$. Our task becomes to construct such a unitary $U$.

Note that it is not possible to simply take an existing $(\ell, p)$ design (random, or other explicit constructions
that appear in the literature [NW94, HR03]) and attach +/- signs to the elements of the sets so as to make
their characteristic vectors pairwise orthogonal, which is what is needed for them to come from the rows of
a unitary $U$. On the other hand we have a different setting of the parameters in mind than usual: we want $p$
to be unusually small (a constant), but the number of sets in the design is also unusually small (only $\mathrm{poly}(\ell)$
instead of $\exp(\ell)$). For these parameters we manage to obtain the required $(\ell, p)$ design using a geometric
construction, in which the sets are the characteristic vectors of pairs of lines in an affine plane. The strong
symmetries in this construction allow us to assign +/- signs to the elements of each set to achieve pairwise
orthogonality of their characteristic vectors. In fact these set systems have only $t/2$ (rather than $t$) sets in
them, so the resulting unitaries will have the required properties only among half of their rows, but a small
modification of the distribution given to the quantum algorithm in case (2) above can handle this without
difficulty.

2 We ignore normalization factors in this discussion.

In Section 4.2 we give a local decomposition (see Section 3.1 for the formal definition) of these unitaries,
which is necessary to have an efficient quantum algorithm. This is the most technically involved part of the
paper. We also describe a modification of our construction that is extremal in the sense that it optimizes 
all relevant parameters simultaneously: all rows of the unitary participate, we have p ^ 2, and t ^ £ 2 . 
This is not required for our results, but it is aesthetically pleasing. We have been unable to find a local 
decomposition that would enable us to actually use this construction as the basis of an efficient quantum 
algorithm, and we leave finding such a decomposition as an intriguing open problem. 

2 NW distributions are $\epsilon$-almost $k$-wise independent

Aaronson [Aar10b] used the following definition of $\epsilon$-almost $k$-wise independence in order to formulate his
"Generalized Linial-Nisan" (GLN) conjecture.

Definition 2.1. A random variable $D$ distributed on $\{0,1\}^r$ is $\epsilon$-almost $k$-wise independent if for every $k$
distinct indices $i_1, i_2, \ldots, i_k \in [r]$, and every $\alpha_1, \alpha_2, \ldots, \alpha_k \in \{0,1\}$ we have:

$$2^{-k}(1 - \epsilon) \le \Pr[D_{i_1} = \alpha_1 \wedge D_{i_2} = \alpha_2 \wedge \cdots \wedge D_{i_k} = \alpha_k] \le 2^{-k}(1 + \epsilon).$$

The following is the GLN conjecture, which is now known to be false for depth 3 and higher [Aar10a],
but remains open for depth 2:

Conjecture 2 ([Aar10b]). Let $D$ be any random variable distributed on $\{0,1\}^r$ that is $1/r^{\Omega(1)}$-almost
$r^{\Omega(1)}$-wise independent.³ Then for every constant-depth circuit $C$ of size at most $m = 2^{r^{o(1)}}$,

$$\left| \Pr[C(D) = 1] - \Pr[C(U_r) = 1] \right| < o(1).$$



We now show that certain instantiations of the NW generator, including the ones in our Conjecture 1,
are $\epsilon$-almost $k$-wise independent, with parameters such that the GLN conjecture implies ours.

Theorem 2.2. Let $\mathcal{D} = \{S_1, S_2, \ldots, S_m\}$ be an $(\ell, p)$ design in a universe of size $t$. Then for every
$k < o(\ell^{1/4} p^{-1/2})$, the jointly distributed random variable

$$(C, D) = (U_t, \mathrm{NW}^{\mathrm{MAJORITY}}_{\mathcal{D}}(U_t))$$

is $O(pk^2/\sqrt{\ell})$-almost $k$-wise independent.

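Proof. Fix $k_1$ distinct indices $i_1, i_2, \ldots, i_{k_1} \in [t]$ and $k_2$ distinct indices $j_1, j_2, \ldots, j_{k_2} \in [m]$ with $k_1 + k_2 \le k$,
and fix $\alpha_1, \alpha_2, \ldots, \alpha_{k_1}, \beta_1, \beta_2, \ldots, \beta_{k_2} \in \{0,1\}$.
We compute the probability

$$p = \Pr[C_{i_1} = \alpha_1 \wedge C_{i_2} = \alpha_2 \wedge \cdots \wedge C_{i_{k_1}} = \alpha_{k_1} \wedge D_{j_1} = \beta_1 \wedge D_{j_2} = \beta_2 \wedge \cdots \wedge D_{j_{k_2}} = \beta_{k_2}],$$

which we write as

$$\left( \prod_{w=1}^{k_1} \Pr[C_{i_w} = \alpha_w \mid C_{i_1} = \alpha_1 \wedge C_{i_2} = \alpha_2 \wedge \cdots \wedge C_{i_{w-1}} = \alpha_{w-1}] \right) \cdot \left( \prod_{w=1}^{k_2} \Pr[D_{j_w} = \beta_w \mid C_{i_1} = \alpha_1 \wedge C_{i_2} = \alpha_2 \wedge \cdots \wedge C_{i_{k_1}} = \alpha_{k_1} \wedge D_{j_1} = \beta_1 \wedge D_{j_2} = \beta_2 \wedge \cdots \wedge D_{j_{w-1}} = \beta_{w-1}] \right).$$

3 One might expect to see $k = \mathrm{poly}\log(r)$ independence rather than $k = r^{\Omega(1)}$, in analogy with the Linial-Nisan conjecture.
Aaronson uses the stronger parameter setting (making the GLN conjecture easier) because it is sufficient for his construction; it is
for ours too.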

Clearly the first $k_1$ terms of the product are exactly 1/2, since $C$ is uniform on $t$-bit strings. Now, consider the
$w$-th factor, denoted $p_w$, in the second part of the product. The key maneuver is to replace the conditioning
on $D_{j_v}$ (for $v < w$) with conditioning on $D_s$ for $s \in S_w \cap S_v$. This is permissible because $D_{j_v}$ can affect
$D_{j_w}$ only through the common elements of their associated sets $S_v$ and $S_w$. Note that because $|S_w \cap S_v| \le p$,
the total number of coordinates that are being conditioned upon is $\le pk$.

Recall that $|S_w| = \ell$, and that the bit $D_w$ is the majority (with certain inputs negated) of the specified $\ell$
coordinates of $C$. Without conditioning, we could compute $\Pr[D_w = 1]$ by

$$\frac{1}{2^{\ell}} \sum_{r = \lceil \ell/2 \rceil}^{\ell} \binom{\ell}{r}.$$

We want to compute instead $p_w$, which is the same probability conditioned on up to $pk$ of the coordinates
of $C$. The maximum value of $p_w$ is thus



< 



1 

¥ 



E 



r=\t/2\-pk 



A simple calculation using Stirling's Approximation shows that $\le O(1/\sqrt{\ell})$ for all $r$, so we obtain the
upper bound of

$$p_w \le \frac{1}{2} + O(pk/\sqrt{\ell}).$$



A symmetric argument shows that

$$p_w \ge \frac{1}{2} - O(pk/\sqrt{\ell}).$$



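Thus we conclude (using that $k < o(\sqrt{\ell}/(pk))$):

$$p \le \left(1/2 + O(pk/\sqrt{\ell})\right)^{k} \le \left[(1/2)\left(1 + O(pk/\sqrt{\ell})\right)\right]^{k} \le 2^{-k}\left(1 + O(pk^2/\sqrt{\ell})\right)$$

and

$$p \ge \left(1/2 - O(pk/\sqrt{\ell})\right)^{k} \ge \left[(1/2)\left(1 - O(pk/\sqrt{\ell})\right)\right]^{k} \ge 2^{-k}\left(1 - O(pk^2/\sqrt{\ell})\right)$$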



as required. 



□ 



3 A general framework 

In this section we describe how to turn any efficiently quantumly computable unitary into a distribution that 
can be distinguished from uniform by a BQLOGTIME machine. Our framework generalizes the setup in 
[Aar10b]. The "quantum part" of the paper is almost entirely contained within this section, so we review
some relevant preliminaries below before describing the main result. 



3.1 Quantum preliminaries 

A unitary matrix is a square matrix $U$ with complex entries such that $UU^* = I$, where $U^*$ is the conjugate
transpose. Equivalently, its rows (and columns) form an orthonormal basis. We name the standard basis
vectors of the $N = 2^n$-dimensional vector space underlying an $n$-qubit system by $|v\rangle$ for $v \in \{0,1\}^n$. A
local unitary is a unitary that operates only on $b = O(1)$ qubits; i.e. after a suitable renaming of the standard
basis by reordering qubits, it is the matrix $U \otimes I_{2^{n-b}}$, where $U$ is a $2^b \times 2^b$ unitary. A local unitary can
be applied in a single step of a quantum computer. A local decomposition of a unitary is a factorization into
local unitaries. We say an $N \times N$ unitary is efficiently quantumly computable if this factorization has at
most $\mathrm{poly}(n)$ factors.

A quantum circuit applies a sequence of local unitaries ("gates") where each gate is drawn from a fixed, 
finite set of gates. There are universal finite gate sets for which any efficiently quantumly computable unitary 
can be realized (up to exponentially small error) by a poly(n)-size quantum circuit [KSV02]. 

In this paper, the only manner in which our BQLOGTIME algorithm will access the input string $x$ is
the following operation, which "multiplies $x$ into the phases". There are three steps: (1) query with the
query register clean, which applies the map $|i\rangle|0\rangle \mapsto |i\rangle|0 \oplus x_i\rangle$ (note each $x_i$ is in $\{0, 1\}$); (2) apply to the
last qubit the map $|0\rangle \mapsto -|0\rangle$, $|1\rangle \mapsto |1\rangle$; (3) query again to uncompute the last qubit. When we speak of
"multiplying $x$ into the phase" it will be linguistically convenient to speak about $x$ as a vector with entries
from $\{+1, -1\}$, even though one can see from this procedure that the actual input is a 0/1 vector.

The following lemma will be useful repeatedly. It states (essentially) that a block diagonal matrix, all 
of whose blocks are efficiently quantumly computable, is itself efficiently quantumly computable. This is 
trivial when all of the blocks are identical, but not entirely obvious in general. The proof is in Appendix A.

Lemma 3.1. Fix $N = 2^n$ and $M = 2^m$. Let $U$ be an $N \times N$ block diagonal matrix composed of the
blocks $U_1, U_2, \ldots, U_M$, where each $U_i$ is a $N/M \times N/M$ matrix that has a $\mathrm{poly}(n)$-size quantum circuit,
a description of which is generated by a uniform $\mathrm{poly}(n)$ time procedure, given input $i$. Then given three
registers of $m$ qubits, $n - m$ qubits, and $\mathrm{poly}(n)$ qubits, respectively, with the third register initialized to
$|000 \cdots 0\rangle$, there is a $\mathrm{poly}(n)$ size uniform quantum circuit that applies $U$ to the first two registers and
leaves the third unchanged.

3.2 The quantum algorithm 

Let $A$ be any $N \times N$ matrix with entries in $\{0, 1, -1\}$ and pairwise orthogonal rows, and define $S(A, i)$
to be the support of the $i$-th row of matrix $A$. Define $\bar{A}$ to be the matrix $A$ with entries in row $i$ scaled by
$1/\sqrt{|S(A,i)|}$, and observe that $\bar{A}$ is a unitary matrix.

Define the random variable $D_{A,M} = (x, z)$ distributed on $\{+1,-1\}^{2N}$ by picking $x \in \{+1,-1\}^N$
uniformly, and setting the next $N$ bits to be $z \in \{+1,-1\}^N$ defined by $z_i = \mathrm{sgn}((\bar{A}x)_i) = \mathrm{sgn}((Ax)_i)$ for
$i \le M$ and $z_i$ independently and uniformly random in $\{+1,-1\}$ for $i > M$.

It will be convenient to think of $M = N$ initially; we analyze the general case because we will eventually
need to handle $M = N/2$. Below, we use $U_{2N}$ to denote the random variable uniformly distributed on
$\{+1,-1\}^{2N}$.

Theorem 3.2. Let $N = 2^n$ for an integer $n > 0$, and let $M = \Omega(N)$. For every matrix $A \in \{0, 1, -1\}^{N \times N}$
with pairwise orthogonal rows, there is a BQLOGTIME algorithm $Q_A$ that distinguishes $D_{A,M}$ from $U_{2N}$;
i.e., there is some constant $\epsilon > 0$ for which:

$$\left| \Pr[Q_A(D_{A,M}) = 1] - \Pr[Q_A(U_{2N}) = 1] \right| > \epsilon.$$

The algorithm is uniform if $A$ comes from a uniform family of matrices.

4 We could extend this framework to matrices with general entries, but we choose to present this restriction since it is all we
need.

Proof. The input to the algorithm is a pair of strings $x, z \in \{+1,-1\}^N$.
The algorithm performs the following steps:

1. Enter a uniform superposition $\frac{1}{\sqrt{N}} \sum_{i \in \{0,1\}^n} |i\rangle$ and multiply $x$ into the phase to obtain $\frac{1}{\sqrt{N}} \sum_{i \in \{0,1\}^n} x_i |i\rangle$.

2. Apply $\bar{A}$ to obtain $\frac{1}{\sqrt{N}} \sum_{i \in \{0,1\}^n} (\bar{A}x)_i |i\rangle$.

3. Multiply $z$ into the phase to obtain $\frac{1}{\sqrt{N}} \sum_{i \in \{0,1\}^n} z_i (\bar{A}x)_i |i\rangle$.

4. Define vector $w$ by $w_i = \frac{1}{\sqrt{N}} z_i (\bar{A}x)_i$. Apply the $N \times N$ Hadamard⁵ $H$ to obtain $\sum_{i \in \{0,1\}^n} (Hw)_i |i\rangle$,
and measure in the computational basis. Accept iff the outcome is $0^n$.

We first argue that the acceptance probability is small in case $(x, z)$ is distributed as $U_{2N}$. This follows
from a symmetry argument: for fixed $x$, and $w$ as defined in Step 4 above, the vector $Hw$ above has every
entry identically distributed, because $z$ is independently chosen uniformly from $\{-1,+1\}^N$ and every row
of $H$ is a vector in $\{-1,+1\}^N$. In particular this implies that the random variable $(Hw)_i^2$ is identically
distributed for all $i$. Together with the fact that $\sum_i (Hw)_i^2 = 1$, we conclude that $E[(Hw)_i^2] = 1/N$. Then
by Markov, with probability at least $1 - 1/\sqrt{N}$ we accept with probability at most $\sqrt{N}/N$, for an overall
acceptance probability of at most $2/\sqrt{N}$.

Next, we argue that the acceptance probability is large in case $(x, z)$ is distributed as $D_{A,M}$. Here we
observe that for $i \le M$, $w_i = \frac{1}{\sqrt{N}} |(\bar{A}x)_i|$ and hence $E[w_i] = \frac{1}{\sqrt{N |S(A,i)|}} \cdot \Theta(\sqrt{|S(A,i)|}) = \Omega(1/\sqrt{N})$
(since before scaling, $w_i$ is just the distance from the origin of a random walk on the line, with $|S(A,i)|$
steps). For $i > M$, we simply have $E[w_i] = 0$. Then $E[\sum_i w_i] = M \cdot \Omega(1/\sqrt{N}) = \Omega(\sqrt{N})$, so
$E[(Hw)_{0^n}] = \Omega(1)$. Since the random variable $(Hw)_{0^n}$ is always bounded above by 1, we can apply
Markov to its negation to conclude that with constant probability, it is at least a constant $\epsilon$ (and in such cases
the acceptance probability is at least $\epsilon^2$). Overall, the acceptance probability is $\Omega(1)$. □

The BQLOGTIME algorithm for what Aaronson calls FOURIER CHECKING in [Aar10b] is recovered
from the above framework by taking $A$ to be a DFT matrix (and $M = N$).
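The acceptance probability analysed in the proof of Theorem 3.2 can be computed classically for small $N$, since the amplitude on $0^n$ is $\frac{1}{\sqrt{N}} \sum_i w_i$. The Python sketch below is an added example, not code from the paper: it uses the $\pm 1$ Sylvester-Hadamard matrix as the matrix $A$ and the convention $\mathrm{sgn}(0) = +1$ (both assumptions of the example), and all function names are hypothetical.

```python
import math
import random


def hadamard_pm1(n):
    """+/-1 matrix indexed by {0,1}^n with entry (-1)^<i,j>; rows are pairwise orthogonal."""
    size = 1 << n
    return [[-1 if bin(i & j).count("1") % 2 else 1 for j in range(size)]
            for i in range(size)]


def sgn(value):
    # Assumption of this example: sgn(0) = +1.
    return 1 if value >= 0 else -1


def matvec(A, x):
    return [sum(a * b for a, b in zip(row, x)) for row in A]


def sample_d_am(A, M, rng):
    """Draw (x, z) from D_{A,M}: z_i = sgn((Ax)_i) for the first M rows, uniform after."""
    N = len(A)
    x = [rng.choice((1, -1)) for _ in range(N)]
    Ax = matvec(A, x)
    z = [sgn(Ax[i]) if i < M else rng.choice((1, -1)) for i in range(N)]
    return x, z


def sample_uniform(N, rng):
    """Draw (x, z) from U_{2N}."""
    x = [rng.choice((1, -1)) for _ in range(N)]
    z = [rng.choice((1, -1)) for _ in range(N)]
    return x, z


def acceptance_probability(A, x, z):
    """Probability that Q_A measures 0^n on input (x, z), computed classically."""
    N = len(A)
    Ax = matvec(A, x)
    amplitude = 0.0
    for i, row in enumerate(A):
        support = sum(1 for entry in row if entry != 0)      # |S(A, i)|
        w_i = z[i] * Ax[i] / math.sqrt(support) / math.sqrt(N)
        amplitude += w_i / math.sqrt(N)   # row 0^n of H has every entry 1/sqrt(N)
    return amplitude ** 2


def mean_acceptance(n, M, trials, seed, structured):
    """Average acceptance probability over samples from D_{A,M} or from U_{2N}."""
    rng = random.Random(seed)
    A = hadamard_pm1(n)
    N = len(A)
    total = 0.0
    for _ in range(trials):
        x, z = sample_d_am(A, M, rng) if structured else sample_uniform(N, rng)
        total += acceptance_probability(A, x, z)
    return total / trials


if __name__ == "__main__":
    for label, M, structured in (("D_{A,N}", 64, True),
                                 ("D_{A,N/2}", 32, True),
                                 ("U_{2N}", 64, False)):
        print(label, round(mean_acceptance(6, M, 60, 7, structured), 4))
```

The simulation takes time polynomial in $N = 2^n$, so it only illustrates the gap between the two cases for small $n$; it says nothing about the cost of the quantum algorithm itself.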

4 Unitary matrices with large, nearly-disjoint row supports 

In this section we construct unitary matrices $A$ with the additional property that all or "almost all" of the row
supports $S(A, i)$ are large and have bounded intersections. We also show that these unitaries are efficiently
quantumly computable. This is the final part of our main result: the distribution $D_{A,M}$ (it will turn out that
$M$ will be half the underlying dimension) is distinguishable from uniform by a BQLOGTIME algorithm by
Theorem 3.2 and at the same time $D_{A,M}$ can be seen as an NW distribution that by Conjecture 1 fools $\mathrm{AC}^0$
(see Section 5 for the precise statement).

5 This is the matrix $H$ whose rows and columns are indexed by $\{0,1\}^n$, with entry $(i,j)$ equal to $(-1)^{\langle i,j \rangle}/\sqrt{N}$.



4.1 The paired-lines construction 

We describe a collection of $q^2/2$ pairwise-orthogonal rows, each of which is a vector in $\{0, +1, -1\}^{q^2}$. We
identify $q^2$ with the affine plane $\mathbb{F}_q \times \mathbb{F}_q$, where $q = 2^n$ for an integer $n > 0$. Let $B_1, B_2$ be an equipartition
of $\mathbb{F}_q$, and let $\phi : B_1 \to B_2$ be an arbitrary bijection. Our vectors are indexed by a pair $(a, b) \in \mathbb{F}_q \times B_1$,
and their coordinates are naturally identified with $\mathbb{F}_q \times \mathbb{F}_q$:

$$v(a,b)_{(x,y)} = \begin{cases} -1 & y = ax + b \\ +1 & y = ax + \phi(b) \\ 0 & \text{otherwise} \end{cases} \qquad (1)$$

Notice that $v(a, b)$ is $-1$ on exactly the points of $\mathbb{F}_q \times \mathbb{F}_q$ corresponding to the line with slope $a$ and
$y$-intercept $b$, and $+1$ on exactly the points of $\mathbb{F}_q \times \mathbb{F}_q$ corresponding to the line with slope $a$ and $y$-intercept
$\phi(b)$. So each $v(a, b)$ is supported on exactly a pair of parallel lines. Orthogonality will follow from the
fact that every two non-parallel line-pairs intersect in exactly one point, as argued in the proof of the next
lemma.

Lemma 4.1. The vectors defined in Eq. (1) are pairwise orthogonal, and their supports form a $(2q, 4)$
design.

Proof. Consider $(a, b) \ne (a', b')$. If $a = a'$ then the supports of $v(a, b)$ and $v(a, b')$ are disjoint. Otherwise
$a \ne a'$ and there are exactly four intersection points (obtained by solving linear equations over $\mathbb{F}_q$):

• $(x = (b' - b)/(a - a'),\ y = ax + b) = (x = (b' - b)/(a - a'),\ y = a'x + b')$, which contributes
$(-1) \cdot (-1) = 1$ to the inner product, and

• $(x = (b' - \phi(b))/(a - a'),\ y = ax + \phi(b)) = (x = (b' - \phi(b))/(a - a'),\ y = a'x + b')$, which
contributes $(+1) \cdot (-1) = -1$ to the inner product, and

• $(x = (\phi(b') - b)/(a - a'),\ y = ax + b) = (x = (\phi(b') - b)/(a - a'),\ y = a'x + \phi(b'))$, which
contributes $(-1) \cdot (+1) = -1$ to the inner product, and

• $(x = (\phi(b') - \phi(b))/(a - a'),\ y = ax + \phi(b)) = (x = (\phi(b') - \phi(b))/(a - a'),\ y = a'x + \phi(b'))$,
which contributes $(+1) \cdot (+1) = 1$ to the inner product.

The sum of the contributions to the inner product from these four points is zero. The computation of the
support size is straightforward. □
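The claims of Lemma 4.1 can be confirmed by brute force for small $q = 2^n$. The following Python check is an added example, not code from the paper: the choice $B_1 = \{0, \ldots, q/2 - 1\}$ with $\phi(b) = b \oplus q/2$, the irreducible polynomials used for $\mathbb{F}_q$ arithmetic, and all function names are assumptions of the example.

```python
from itertools import combinations

# Irreducible polynomials over GF(2) defining F_q for q = 2^n (example choice):
# x^2+x+1, x^3+x+1, x^4+x+1.
IRREDUCIBLE = {2: 0b111, 3: 0b1011, 4: 0b10011}


def gf_mul(a, b, n):
    """Multiply a and b in F_{2^n}; elements are n-bit integers, addition is XOR."""
    poly = IRREDUCIBLE[n]
    result = 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if (a >> n) & 1:        # reduce as soon as the degree reaches n
            a ^= poly
    return result


def paired_line_vectors(n):
    """Return {(a, b): sparse vector} with v(a,b) = -1 on y=ax+b, +1 on y=ax+phi(b)."""
    q = 1 << n
    half = q // 2
    vectors = {}
    for a in range(q):
        for b in range(half):              # b ranges over B_1 = {0, ..., q/2 - 1}
            phi_b = b ^ half               # phi(b) lies in B_2 = {q/2, ..., q - 1}
            v = {}
            for x in range(q):
                ax = gf_mul(a, x, n)
                v[(x, ax ^ b)] = -1        # point on the line with intercept b
                v[(x, ax ^ phi_b)] = +1    # point on the line with intercept phi(b)
            vectors[(a, b)] = v
    return vectors


def check_lemma_4_1(n):
    """Brute-force the support sizes, pairwise overlaps and inner products."""
    q = 1 << n
    vectors = paired_line_vectors(n)
    support_sizes = {len(v) for v in vectors.values()}
    overlaps = set()
    worst_inner = 0
    for v1, v2 in combinations(vectors.values(), 2):
        common = v1.keys() & v2.keys()
        overlaps.add(len(common))
        inner = sum(v1[pt] * v2[pt] for pt in common)
        worst_inner = max(worst_inner, abs(inner))
    return {
        "q": q,
        "rows": len(vectors),
        "dimension": q * q,
        "support_sizes": support_sizes,
        "overlaps": overlaps,
        "max_abs_inner_product": worst_inner,
    }


if __name__ == "__main__":
    for n in (2, 3, 4):
        print(check_lemma_4_1(n))
```

For each $n$ the report shows $q^2/2$ rows, every support of size $2q$, overlaps of size 0 (parallel pairs) or 4 (non-parallel pairs), and all inner products equal to zero.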

In Appendix EJ we give another construction (which is not needed for our main result) in which the 
number of vectors is exactly equal to the dimension of the underlying space (giving rise to a unitary in 
which "all rows participate" instead of only half of the rows). 

4.2 A local decomposition 

We now describe a $q^2 \times q^2$ unitary matrix that is efficiently quantumly computable and has the (normalized)
vectors $v(a, b)$ from Eq. (1) as $q^2/2$ of its $q^2$ rows. We recall that $q = 2^n$ for an integer $n > 0$.

Proposition 4.2. The following $q \times q$ unitary matrices are efficiently quantumly computable:

• The DFT matrix $F$ with respect to the additive group of $\mathbb{F}_q$.

• The inverse DFT matrix $F^{-1}$ with respect to the additive group of $\mathbb{F}_q$.

• The $q \times q$ unitary matrix $B$ with $\frac{1}{\sqrt{2}}(I_{q/2} \mid -I_{q/2})$ as its first $q/2$ rows, $\frac{1}{\sqrt{4}}(I_{q/4} \mid -I_{q/4} \mid I_{q/4} \mid -I_{q/4})$
as its next $q/4$ rows, $\frac{1}{\sqrt{8}}(I_{q/8} \mid -I_{q/8} \mid I_{q/8} \mid -I_{q/8} \mid I_{q/8} \mid -I_{q/8} \mid I_{q/8} \mid -I_{q/8})$ as its next $q/8$ rows, etc.,
and whose last row is $\frac{1}{\sqrt{q}}(1, 1, 1, \ldots, 1)$.

Proof. The first two matrices are well-known to be efficiently quantumly computable. For the last one we 
make use of the Hadamard matrix 

Let $B_i$ be the $q \times q$ identity matrix with its lower right $2^i \times 2^i$ submatrix replaced by the matrix
$H \otimes I_{2^{i-1}}$. Each $B_i$ is efficiently quantumly computable by Lemma 3.1. It is then easy to verify that
$B = B_1 B_2 B_3 \cdots B_n$. □

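Lemma 4.3. Let $\alpha$ be a generator of the multiplicative group of $\mathbb{F}_q$. For $c \in \mathbb{F}_q$, let $D_c$ denote the $q \times q$
diagonal matrix

$$\frac{1}{\sqrt{q}} \cdot \mathrm{diag}\left(\sqrt{q},\ (-1)^{\mathrm{Tr}(\alpha^1 \cdot c)},\ (-1)^{\mathrm{Tr}(\alpha^2 \cdot c)},\ (-1)^{\mathrm{Tr}(\alpha^3 \cdot c)},\ \ldots,\ (-1)^{\mathrm{Tr}(\alpha^{q-1} \cdot c)}\right),$$

and let $D'_c$ denote the $q \times q$ diagonal matrix

$$\frac{1}{\sqrt{q}} \cdot \mathrm{diag}\left(0,\ (-1)^{\mathrm{Tr}(\alpha^1 \cdot c)},\ (-1)^{\mathrm{Tr}(\alpha^2 \cdot c)},\ (-1)^{\mathrm{Tr}(\alpha^3 \cdot c)},\ \ldots,\ (-1)^{\mathrm{Tr}(\alpha^{q-1} \cdot c)}\right).$$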

Then the q 2 x q 2 matrix D whose (i,j) block (with i,j £ ¥ q ) equals Dij if i = j and D\, otherwise, is 
efficiently quantumly computable. 

Proof. Consider the $q^2 \times q^2$ block-diagonal matrix that has as its $(k, k)$ block the matrix whose $(i, j)$ entry
is $(-1)^{\mathrm{Tr}(\alpha^k ij)}$ for $k \in \{1, 2, \ldots, q - 1\}$ and whose $(0, 0)$ block is $I_q$. Each such block except the $(0, 0)$
block is the DFT matrix $F$ with its rows (or equivalently, columns) renamed according to the map $j \mapsto j\alpha^k$.
The $F$ matrix is efficiently quantumly computable and the map $j \mapsto j\alpha^k$ is classically and reversibly (and
thus quantumly) efficiently computable. Thus each $q \times q$ block on the diagonal is efficiently quantumly
computable. By Lemma 3.1 the entire matrix is efficiently quantumly computable.

If we index columns by $(i,i') \in (\mathbb{F}_q)^2$ and rows by $(j,j') \in (\mathbb{F}_q)^2$, then the desired matrix $D$ is the
above block-diagonal matrix with the order of the two indexing coordinates for the rows transposed, and the
order of the two indexing coordinates for the columns transposed. □

Theorem 4.4. The $q^2 \times q^2$ matrix $(I_q \otimes B) \cdot (I_q \otimes F) \cdot D \cdot (I_q \otimes F^{-1})$, which is efficiently quantumly
computable, has the vectors $v(a, b)$ from Eq. (1) as $q^2/2$ of its rows.

Proof. Let $S_c$ be the $q \times q$ permutation matrix that (when multiplied on the right) shifts columns, identified
with $\mathbb{F}_q$, by the map $x \mapsto x + c$. Let $J$ be the all-ones matrix. The main observation is that

1 1 \fq-l 
FDcF- 1 = —S c - ^ J, 

and that 

FD' c F- 1 = ^-S c -^-J. 



To be precise, these are the $v(a, b)$ with respect to some equipartition $B_1, B_2$ and some bijection c

Thus the final matrix has in its $(i, j)$ block (with $i, j \in \mathbb{F}_q$) the matrix

if i = j, and 

1 „ 1 



B '{vl Sij ~vl J 

otherwise. Observe that $BJ$ has all zero entries except for the last row, so in particular, the first $q/2$ rows
of the $(i,j)$ block are $(1/\sqrt{2q})(I_{q/2} \mid -I_{q/2})S_{ij}$. Therefore the $q/2$ rows of the entire $q^2 \times q^2$ matrix
corresponding to the top halves of blocks $(i,j)$ as $j$ varies, give the vectors $v(i, b)$ for $b \in B_1$, if we identify
columns with $\mathbb{F}_q \times \mathbb{F}_q$ as follows: columns of the $j$-th block are identified with $\{j\} \times \mathbb{F}_q$, and within the $j$-th
block, $B_1$ is the first $q/2$ columns and $B_2$ is the next $q/2$ columns (and the bijection maps the element
associated with the $b$-th column to the element associated with the $(b + q/2)$-th column).

Then, as $i$ varies over $\mathbb{F}_q$, we find all of the vectors from Eq. (1) as the "top-halves" of each successive
set of $q$ rows of the large matrix. □

5 Putting it all together 

Let $A$ be the matrix of Theorem 4.4 and set $N = q^2$ and $M = N/2$. By Theorem 3.2 there is a BQLOGTIME
algorithm that distinguishes $D_{A,M}$ from the uniform distribution $U_{2N}$.

By Lemma 4.1 the first $M$ rows of $A$ have supports forming a $(2\sqrt{N}, 4)$-design $\mathcal{S}$. It is also clear that
for $i \le M$, the $(N + i)$-th bit of $D_{A,M}$ computes MAJORITY (with a fixed pattern of inputs negated) on those
among the first $N$ bits that lie in $S(A, i)$. Thus $D_{A,M}$ is exactly the distribution $(U_N, NW_{\mathcal{S}}^{\mathrm{MAJORITY}}(U_N))$
followed by $N/2$ additional independent random bits (which can have no impact on the distinguishability
of the distribution from uniform). Thus by Conjecture 1 no constant-depth, polynomial-size circuit can
distinguish $D_{A,M}$ from $U_{2N}$, which completes the argument.

We briefly describe why the standard NW argument fails (and why we must rely on Conjecture 1). The
standard argument proceeds as follows: define $2N + 1$ hybrid distributions $D_{A,M} = H_0, H_1, \ldots, H_{2N} = U_{2N}$
that interpolate between $D_{A,M}$ and $U_{2N}$. Given a distinguishing circuit $C : \{0, 1\}^{2N} \to \{0, 1\}$ for
which

$$|\Pr[C(D_{A,M}) = 1] - \Pr[C(U_{2N}) = 1]| > \epsilon,$$

we argue that for some $i$

$$|\Pr[C(H_i) = 1] - \Pr[C(H_{i+1}) = 1]| > \epsilon/M$$

by the triangle inequality (and here we are making the additional observation that $H_0 = H_1 = \cdots = H_N$
and $H_{N+M+1} = H_{N+M+2} = \cdots = H_{2N}$ so the gap of $\epsilon$ must be spread over only $M$ differences).
From here, we obtain a next-bit-predictor with advantage $\epsilon/M$ and hardwire at most $M$ lookup tables of
size $2^p$, to obtain a circuit of size $|C| + O(2N) + O(2^p M)$ that computes MAJORITY (on $2\sqrt{N}$ bits) with
success probability $1/2 + \epsilon/M$. The problem is that this advantage over random guessing is not sufficient to
obtain a contradiction for the function MAJORITY, which can be computed easily with success probability
$1/2 + \Omega(1/N^{1/4})$, for the parameters coming from the unitary $A$ from Theorem 4.4.

Even if we had a unitary whose rows formed an $(\ell, p)$-design with better parameters, the standard
argument fails. This is because it must be that $\ell \le N$, and yet we must also have $M \gg \sqrt{N}$ for $D_{A,M}$ to be
even statistically noticeably different from uniform. But the trivial circuit that outputs an arbitrary bit of the
input succeeds with probability $1/2 + \Omega(1/\sqrt{\ell})$, which is larger than the $1/2 + \epsilon/M$ that comes out of the
standard NW argument above.

6 Our conjecture: discussion

We believe that Conjecture 1 is quite approachable, given the large literature and variety of proof techniques
concerning pseudorandom generators and related objects. As examples, we mention two ideas from the
literature that seem relevant (although obviously they haven't yet led to a solution).

The first is the analysis by Sudan, Trevisan, and Vadhan [STV01] of the NW PRG when applied to a
"mildly hard" predicate (i.e., one for which small circuits fail on only a $\delta$ fraction of the inputs). They prove
that the output distribution is computationally indistinguishable from a distribution having high entropy by
invoking Impagliazzo's hard-core lemma [Imp95], and arguing that output bits of the NW PRG "often" fall
in a hard core that is considerably harder on average than the original mildly hard predicate.

We also have a hard predicate whose average-case hardness falls short of what we would need for
Conjecture 1 to be true via the standard argument; i.e., if MAJORITY on $\ell$ bits were $1/2 + 1/\mathrm{poly}(\ell)$ hard, we
would be done. The high-level message of Sudan, Trevisan and Vadhan is that this hardness can be achieved
(essentially) at the price of comparing to a high-entropy distribution rather than the uniform distribution.
Our BQP algorithm is fairly robust and would likely still work on a sufficiently high entropy distribution
(it is only necessary to "kill" correlations with a particular element of the Hadamard basis). However, the
central technical component of the proof in [STV01] is the Impagliazzo hard-core lemma [Imp95], and a
sufficiently strong hardcore lemma is not known for AC$_0$. In fact, the function MAJORITY has no hard core:

Proposition 6.1. No subset of MAJORITY is $\epsilon$-hardcore for AC$_0$, for any $\epsilon < 1/n$.

Proof. Given an $x \in \{0, 1\}^n$, the randomized procedure that picks a random one of the $n$ input bits and
outputs it succeeds in computing MAJORITY$(x)$ with probability at least $1/2 + 1/n$. This procedure has the
same success probability over any subset $S \subseteq \{0, 1\}^n$. For any fixed $S$, there is a fixing of the random bits
that preserves this success probability, and which results in a circuit of size 1 (it just outputs $x_i$ for some
fixed $i$). □

Nevertheless, it may be that replacing the uniform distribution with a high min-entropy one can be useful in
circumventing the loss from the hybrid argument.

The second approach is to directly circumvent the loss due to the hybrid argument. This is explicitly
addressed in [BSW03], where they show that the loss can indeed be avoided in certain computational models.
One of these models is "PH circuits," which sounds superficially like it might be relevant to our setting. What
is actually needed to use their ideas is the ability to approximately count an efficiently recognizable set, in
the same class that recognizes the set. Such a statement is not known (or expected) for AC$_0$, but it is still
possible that other ideas could circumvent the hybrid argument for AC$_0$.

However, any route to proving Conjecture 1 faces the same challenge discussed in [Aar10b]: the proof
must be "non-black-box" in the sense that it can't apply to arbitrary low-degree polynomial functions in
addition to its native Boolean setting. This is because the quantum algorithm of Theorem 3.2 implies (via
[BHC+01]) the existence of a constant-degree, multivariate real polynomial computing the acceptance
probability (and hence distinguishing the NW distribution from uniform). A black-box reduction would
transform a distinguisher of this form to a similarly low-degree polynomial approximating MAJORITY, but we
know that no such polynomial for approximating MAJORITY can exist [Smo93]. So any proof of Conjecture
1 must prove that the distribution in question fools AC$_0$ in some way that does not replace AC$_0$ circuits by
low degree approximating polynomials and then argue about those.

Here are some ideas that could plausibly form the basis of a proof of Conjecture 1. We consider the
simpler situation in which the distributions being compared are $N^2$ independent copies of the random
variable $D$ - where $D = (U_N, \mathrm{MAJORITY}(U_N))$ - and $N^2$ independent copies of the random variable $U_{N+1}$
distributed uniformly on $N + 1$ bits. This corresponds to the NW construction we have been working with,
if the underlying nearly-disjoint sets are taken to be completely disjoint. AC$_0$ should be incapable of
distinguishing these distributions; here is the intuition. First, observe that there are no correlations between
blocks, so the hypothetical distinguisher must examine each block separately. Since AC$_0$ cannot
approximate majority well, we know that the only "accessible" information about each block is a "noisy bit" saying
whether it is distributed according to $D$ or $U_{N+1}$ - in the case of uniform, this bit is 1 with probability $1/2$,
and in the case of distribution $D$, this bit is 1 with probability $1/2 + \Omega(1/\sqrt{N})$. How can a hypothetical
distinguisher aggregate these noisy bits across the $N^2$ independent copies? In one case, the expected sum of
these noisy bits is $(1/2)N^2$ and in the other case it is $(1/2 + \Omega(1/\sqrt{N}))N^2$, and by concentration of measure,
the sum is highly likely to be close to these expectations. So the hypothetical distinguisher only needs to tell
the difference between $N^2$ fair coin flips versus $N^2$ slightly biased coin flips. But exactly this task is hard
for AC$_0$ (which can be seen by reduction from MAJORITY, as written down in Corollary 12 of [Aar10b]).
So, it seems that either the distinguisher must approximate MAJORITY better than allowed (to get less noisy
bits), or it must be detecting very small bias in a sequence of coin flips. In upcoming work [FSUV10], we
are able to show that indeed AC$_0$ cannot distinguish these two distributions. This is encouraging because it
shows that the aforementioned "non-black-box" requirement is not insurmountable. Extending this result to
the not-completely-disjoint case still seems challenging, however.



Acknowledgements. We thank Scott Aaronson, Yi-Kai Liu, and Emanuele Viola for helpful discussions. 
A Omitted proofs

Proof. (Of Lemma 3.1) Fix a finite universal set of quantum gates, of cardinality $d$, each of which operates
on at most $b$ qubits. A convenient notion will be that of an oblivious circuit, in which we fix an ordering (say,
lexicographic) on $[n]^b$, and the steps of the circuit are identified with poly($n$) cycles through this list: when
we are on step $(a_1, a_2, \ldots, a_b) \in [n]^b$ in one of these cycles, we operate on qubits $a_1, a_2, \ldots, a_b$. Clearly,
any (uniform) quantum circuit can be converted to a (uniform) "oblivious" circuit with at most an $n^b$ blowup
by inserting dummy identity gates.

Let $n^k$ be an upper bound on the size of the oblivious circuits obtained in this way for the various $U_i$.
The circuit for each $U_i$ is now a sequence

$$j^{(i)} = (j^{(i)}_1, j^{(i)}_2, \ldots, j^{(i)}_{n^k})$$

with each $j^{(i)}_\ell \in [d]$ specifying which gate to apply at step $\ell$ in the oblivious circuit for $U_i$ (and because
the circuit is oblivious, the qubits to which this gate should be applied are easily determined from $\ell$). Let
$f : [M] \to [d]^{n^k}$ be the function that maps $i$ to the vector $j^{(i)}$.
Now we describe the promised efficient quantum procedure:

1. Apply the map derived from $f$ that takes $|i\rangle|z\rangle$ to $|i\rangle|z \oplus f(i)\rangle$, to the first and third register. We view
the contents of the third register as a vector in $[d]^{n^k}$.

2. Repeat for $\ell = 1, 2, 3, \ldots, n^k$: apply the "controlled unitary" that consults the $\ell$-th component of the
third register, and applies the specified gate to qubits $(a_1, a_2, \ldots, a_b)$ of the second register (again,
$(a_1, a_2, \ldots, a_b)$ are easily determined from $\ell$ because the circuit is oblivious). The important
observation is that this "controlled unitary" operates on only constantly many qubits.

3. Repeat step 1 to uncompute the auxiliary information in the third register.

□



B A unitary in which all rows participate 



There is a tension between the triple goals of (1) having many pairwise orthogonal vectors, (2) maintaining 
bounded pairwise intersections of the supports, and (3) having the supports large. It is natural to wonder 
whether the above construction (in which we found a number of vectors equal to 1/2 the dimension of the 
underlying space) is in some sense optimal. For example, is there some barrier to simultaneously optimizing 
all three goals? 

Here we show that one can indeed optimize all three goals at the same time, by specifying a construction
that builds on the "paired-lines" construction. Our construction will have as many pairwise orthogonal
vectors as the dimension of the underlying space (which is obviously as many as is possible); it will have
intersection sizes bounded above by 2 (the upper bound cannot be 0 without constraining the product of the
number of rows and the support sizes to be at most the dimension of the underlying space, and no pairwise
intersections can have cardinality one without violating orthogonality); the support sizes will be at least
the square root of the dimension of the underlying space (and one can't exceed that without having larger
intersection sizes).

This construction is not needed for our main results, but we find it aesthetically pleasing that one can
optimize all three parameters in this way. We don't know of a local decomposition for this matrix, and we
leave finding one as an intriguing open problem.

While the construction of Section 4.1 needed characteristic two, the present construction needs odd
characteristic. We fix $\mathbb{F}_q$ with $q$ an odd prime power, and we choose a subset $Q \subset \mathbb{F}_q^*$ of size $(q - 1)/2$ for
which $Q \cap -Q = \emptyset$, where $-Q = \{-x : x \in Q\}$. Our vectors will have $q^2 - 1$ coordinates, identified with
the punctured plane $P = \mathbb{F}_q \times \mathbb{F}_q \setminus \{(0, 0)\}$.

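We have three types of vectors in $\{0, -1, +1\}^P$: first, for all $a \in \mathbb{F}_q$ and $b \in Q$

$$v_{a,b}[x,y] = \begin{cases} +1 & x = 0,\ y = b \\ +1 & x \in Q,\ y = ax + b \\ -1 & x \in Q,\ y = ax - b \\ 0 & \text{otherwise} \end{cases} \qquad (2)$$

second, for all $a \in \mathbb{F}_q$ and $b \in -Q$

$$v_{a,b}[x,y] = \begin{cases} +1 & x = 0,\ y = b \\ +1 & x \in -Q,\ y = ax + b \\ -1 & x \in -Q,\ y = ax - b \\ 0 & \text{otherwise} \end{cases} \qquad (3)$$

and finally, for each $c \in \mathbb{F}_q^*$

$$u_c[x,y] = \begin{cases} +1 & x = c,\ y \in \mathbb{F}_q \\ 0 & \text{otherwise} \end{cases} \qquad (4)$$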

Lemma B.1. The vectors defined in Eqs. (2), (3) and (4) are pairwise orthogonal and their supports form a
$(q, 2)$-design.

Proof. It is an easy computation to see that the support of each of the vectors has cardinality $q$. We now argue
that they are pairwise orthogonal. There are several cases depending on the two rows under consideration:

1. $v_{a,b}$ and $v_{a',b'}$: if one comes from Eq. (2) and the other from Eq. (3) then the supports are disjoint. So
we assume both come from Eq. (2) or both come from Eq. (3).

(a) Both come from Eq. (2) and $b = b'$: we have one intersection $(0, b)$ (which contributes $+1$ to
the inner product) and exactly one of the following two intersection points: $(x = -2b/(a - a'),\ ax + b = a'x - b)$
or $(x = 2b/(a - a'),\ ax - b = a'x + b)$, which contributes $-1$ to the
inner product. We have exactly one because the two $x$-values are negations of each other, and
non-zero, so exactly one is in $Q$.

(b) Both come from Eq. (2) and $b \ne b'$: we have exactly one of the following two intersection points:
$(x = (b' - b)/(a - a'),\ ax + b = a'x + b')$ or $(x = (-b' + b)/(a - a'),\ ax - b = a'x - b')$, which
contributes $+1$ to the inner product, and exactly one of the following two intersection points:
$(x = (b' + b)/(a - a'),\ ax - b = a'x + b')$ or $(x = (-b' - b)/(a - a'),\ ax + b = a'x - b')$,
which contributes $-1$ to the inner product. For each pair, there is exactly one of the pair of
possible intersection points because the two $x$-values are negations of each other, and non-zero,
so exactly one is in $Q$.

(c) Both come from Eq. (3) and $b = b'$: identical to case (1a) above, with $-Q$ in place of $Q$.

(d) Both come from Eq. (3) and $b \ne b'$: identical to case (1b) above, with $-Q$ in place of $Q$.

2. $u_c$ and $u_{c'}$: these have disjoint supports for $c \ne c'$.

3. $v_{a,b}$ and $u_c$: if $c \in Q$, then the support of $u_c$ intersects the support of $v_{a,b}$ only if $v_{a,b}$ comes from
Eq. (2), and then we get one intersection at point $(x = c,\ ax + b)$ which contributes a $+1$ to the inner
product, and one intersection at point $(x = c,\ ax - b)$ which contributes a $-1$ to the inner product. If
$c \in -Q$, then the support of $u_c$ intersects the support of $v_{a,b}$ only if $v_{a,b}$ comes from Eq. (3), and we
have an identical argument, with $-Q$ in place of $Q$.

This is a complete enumeration of cases, and in no case did we have more than 2 intersection points. □
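The following brute-force check of Lemma B.1 is an added example, not part of the paper. It assumes $q$ is an odd prime (so that $\mathbb{F}_q$ is arithmetic mod $q$; the paper allows any odd prime power) and the particular choice $Q = \{1, \ldots, (q-1)/2\}$; the function names are hypothetical.

```python
from itertools import combinations


def build_vectors(q):
    """Vectors of Eqs. (2)-(4) as sparse dicts {(x, y): +1 or -1}.

    Assumption (not from the paper): q is an odd prime, so F_q is the
    integers mod q, and Q = {1, ..., (q-1)/2}.
    """
    if q < 3 or q % 2 == 0 or any(q % d == 0 for d in range(3, int(q ** 0.5) + 1)):
        raise ValueError("this sketch only handles odd primes q")
    Q = set(range(1, (q - 1) // 2 + 1))
    neg_Q = {(-x) % q for x in Q}            # -Q = {-x : x in Q}
    if Q & neg_Q or len(Q | neg_Q) != q - 1:
        raise ValueError("Q and -Q must partition the nonzero elements")

    vectors = []
    for half in (Q, neg_Q):                  # Eq. (2) uses Q, Eq. (3) uses -Q
        for a in range(q):
            for b in half:
                v = {(0, b): +1}
                for x in half:
                    v[(x, (a * x + b) % q)] = +1
                    v[(x, (a * x - b) % q)] = -1
                vectors.append(v)
    for c in range(1, q):                    # Eq. (4): one vector per nonzero c
        vectors.append({(c, y): +1 for y in range(q)})
    return vectors


def check_lemma_b1(q):
    """Return vector count, support sizes, pairwise overlap sizes, orthogonality."""
    vectors = build_vectors(q)
    overlap_sizes = set()
    orthogonal = True
    for u, v in combinations(vectors, 2):
        common = u.keys() & v.keys()         # shared support points
        overlap_sizes.add(len(common))
        if sum(u[p] * v[p] for p in common) != 0:
            orthogonal = False
    return {
        "count": len(vectors),
        "support_sizes": {len(v) for v in vectors},
        "overlap_sizes": overlap_sizes,
        "orthogonal": orthogonal,
    }


if __name__ == "__main__":
    for q in (3, 5, 7, 11):
        print(q, check_lemma_b1(q))
```

For each tested $q$ the check finds $q^2 - 1$ vectors, every support of size $q$, and pairwise overlaps of size 0 or 2 only, matching the $(q, 2)$-design claim.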

We conclude this section with a question: are these matrices related in some way to the DFT matrix over
some family of non-abelian groups (e.g. the affine group $\mathbb{F}_q^* \ltimes \mathbb{F}_q$), or are they indeed completely different
from the unitaries seen before in quantum algorithms?

C Converting a distributional oracle problem into a standard oracle 

We include this section for completeness; a similar proof appears in [Aar10a].

We have two ensembles of random variables $D_1 = \{D_{1,n}\}$, $D_2 = \{D_{2,n}\}$ over $(N = 2^n)$-bit strings
for which BQLOGTIME can distinguish the two distributions but AC$_0$ cannot. Then when $D_1$ and $D_2$ are
viewed as distributions on (truth-tables of) oracles, there is a BQP oracle machine that distinguishes the two
distributions, but no PH oracle machine can distinguish them. Specifically, we have that there exists a BQP
oracle machine $A$ for which

$$\Pr[A^{D_1}(1^n) = 1] - \Pr[A^{D_2}(1^n) = 1] > \epsilon$$

while for every PH oracle machine $M$,

$$\Pr[M^{D_1}(1^n) = 1] - \Pr[M^{D_2}(1^n) = 1] < \delta < \epsilon,$$

(here we use standard techniques - see, e.g., [Has87] - which show that on any fixed input, the output of a
PH machine as a function of the oracle can be seen as an AC$_0$ circuit) and we have $\epsilon > \delta$ for sufficiently
large $n \ge n_0$.

We now convert the distributions on oracles into a single oracle $O$ for which $\mathrm{BQP}^O \not\subseteq \mathrm{PH}^O$. Let $L$ be
a uniformly random unary language in $\{1\}^*$. For each $n$, if $1^n \in L$, sample a $2^n$-bit string $x$ from $D_1$ and
define oracle $O$ restricted to length $n$ so that $x$ is its truth table; otherwise sample a $2^n$-bit string $x$ from $D_2$
and define oracle $O$ restricted to length $n$ so that $x$ is its truth table.

First, note that

$$\Pr[A^O(1^n) = L(1^n)] = (1/2) \cdot \Pr[A^{D_1}(1^n) = 1] + (1/2) \cdot \Pr[A^{D_2}(1^n) = 0] > 1/2 + \epsilon/2.$$

Now fix any PH machine $M$, and note that for sufficiently large $n$,

$$\Pr[M^O(1^n) = L(1^n)] = (1/2) \cdot \Pr[M^{D_1}(1^n) = 1] + (1/2) \cdot \Pr[M^{D_2}(1^n) = 0] < 1/2 + \delta/2.$$

Consequently, since $\epsilon > \delta$ there is a fixed choice for the oracle at length $n$ such that $L(1^n) = A^O(1^n) \ne M^O(1^n)$,
for sufficiently large $n$.

Fix such a choice for the oracle at length $n$, and consider another PH machine $M'$. By the same
argument, we can find another sufficiently large input length $n'$ where $L(1^{n'}) = A^O(1^{n'}) \ne M'^O(1^{n'})$.

Continuing in this way, we obtain a single oracle such that for any PH machine $M$ there exists some $n$
for which $A^O(1^n) \ne M^O(1^n)$.



7 Recall that we are using "AC$_0$" to refer to exp(poly log n)-size constant-depth circuits in this paper.

8 We have assumed that our machines, on an input of length n, only query the oracle at inputs of length n. This can be ensured 
by working with input lengths that are sufficiently spread out (so that the machine cannot afford to formulate queries to the next 
largest length, and so that the oracle at shorter lengths can be hardcoded.) 